[PATCH] Use canonical hostname for DNS SSHFP lookup
Damien Miller
djm at mindrot.org
Mon Nov 29 10:47:10 EST 2010
On Sun, 28 Nov 2010, Jan Andres wrote:
> In the current implementation, ssh always uses the hostname supplied by
> the user directly for the SSHFP DNS record lookup. This causes problems
> when using the domain search path, e.g. I have "search example.com" in my
> resolv.conf and then do a "ssh host", I will connect to host.example.com,
> but ssh will query the DNS for an SSHFP record of "host.", not
> "host.example.com.".
>
> The patch below attempts to fix this issue by having getaddrinfo()
> return the canonical host name from the lookup, and passes this on so it
> can be used in the SSHFP record query.
>
> As a side-effect, the patch will completely suppress the SSHFP lookup if
> establishing an SSH1 connection, as RSA1 keys cannot be stored in SSHFP
> records anyway.
>
> The getaddrinfo() implementation in openbsd-compat/fake-rfc2553.c is
> also updated to support the AI_CANONNAME flag.
>
> I don't use OpenBSD, so the patch was prepared against the latest
> snapshot of the portable OpenSSH version. Sorry if this causes any
> inconvenience.
I looked at this a while ago and rejected this approach as trusting the
DNS too much. See the thread "Re: Question about host certificates" on
this list from mid-June this year.
What we really (IMHO) need is better feedback from the local resolver as
to how it transformed the name before external resolution.
There is a hackish workaround for recent OpenSSH - in ~/.ssh/config you
can do:
# Names that already contain a dot, or look like an IPv6 literal, are
# passed through unchanged.
Host *.* *:* :*
	Hostname %h
# Everything else (a bare short name) gets the domain appended.
Host *
	Hostname %h.your.domain.com
-d
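To see which typed names that workaround rewrites, here is an added simulation of the Host matching in the config above. It is not OpenSSH code: it models the ssh_config(5) rules (a Host line carries space-separated glob patterns with '*' and '?' wildcards and '!' negation, the first Host block whose pattern list matches supplies the Hostname, and %h expands to the name the user typed). The config text and the sample names are constructed for the example, and your.domain.com is the placeholder domain from the message, not a real one.

```python
"""Simulate how the ~/.ssh/config workaround rewrites a typed host name.

Added example, not OpenSSH code. Models the ssh_config(5) Host matching
rules: a Host line lists glob patterns ('*', '?', leading '!' negates);
a pattern list matches when some non-negated pattern matches and no
negated pattern does; the first matching Host block's Hostname wins;
%h expands to the name typed on the command line.
"""
import fnmatch

# Constructed config mirroring the workaround from the message.
# "your.domain.com" is a placeholder domain, not a real one.
WORKAROUND_CONFIG = """
Host *.* *:* :*
    Hostname %h
Host *
    Hostname %h.your.domain.com
"""


def parse_config(text):
    """Return [(patterns, hostname_template), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), None))
        elif key == "hostname" and blocks and blocks[-1][1] is None:
            # ssh_config keeps the first value obtained for a keyword.
            blocks[-1] = (blocks[-1][0], value)
    return blocks


def pattern_list_matches(patterns, name):
    """ssh_config pattern-list semantics: any matching '!' pattern vetoes.

    fnmatch also understands '[seq]' classes, which ssh does not; the
    workaround config uses only '*', so the difference does not matter here.
    """
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(name, pat):
            matched = True
    return matched


def resolve_hostname(typed, config_text=WORKAROUND_CONFIG):
    """Name ssh would hand to the resolver for the name the user typed."""
    for patterns, template in parse_config(config_text):
        if pattern_list_matches(patterns, typed):
            return typed if template is None else template.replace("%h", typed)
    return typed


if __name__ == "__main__":
    # Constructed sample inputs: short name, FQDN, trailing-dot name, IPv6.
    for typed in ["host", "host.example.com", "host.", "::1", "2001:db8::1"]:
        print(f"{typed!r:20} -> {resolve_hostname(typed)!r}")
```

Running it shows that anything containing a dot or a colon (an FQDN, a name with a trailing dot, an IPv6 literal) passes through unchanged and every other name gets the single configured domain appended, which is why the message calls it a hackish workaround: the client decides the name by a glob on what was typed, with no feedback from the resolver about the search path it actually applied.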